Friday, 6 September 2013

How to Access the ETC$ Share from a Windows Client using CIFS: Method 1/2 - Active Directory Domain Authentication

The following post applies to NetApp Data ONTAP 8 running in 7-Mode. The method is ages old, nothing new here at all; the topic has just been given a good thorough seeing to.

Starting point

NetApp FAS/V-Series controller has DNS configured.

CIFS is not licensed (and hence cifs setup has not been run).

Walkthrough

1) Verify the correct domain and correct nameserver(s) are configured on the Filer.

NTAP> rdfile /etc/rc

There should be a line like:

options dns.domainname domain.com

NTAP> rdfile /etc/resolv.conf

For each nameserver, there should be a line like:

nameserver IP_ADDRESS

2) License CIFS

NTAP> license add CIFSCODE

(For the 8.1.2 SIM used here it's: license add DZDACHD)

3) Setup/check time services

If the time difference between the filer and domain controller is more than 5 minutes, authentication will fail!

NTAP> timezone

NTAP> timezone GB

NTAP> date

NTAP> date CCYYMMDDHHMM.SS

NTAP> options timed.enable on

NTAP> options timed.servers NTP_SERVER_IP/FQDN {,NTP_SERVER2_IP,...}

4) Add a DNS entry for the filer

Image: Example Host A record for the filer in DNS Manager

Note: cifs setup creates a machine account for the filer, but does not create a DNS A record.

5) Create an OU for the NetApp

Image: Example OU for NetApp in ADU&C

6) Run cifs setup

The first command sets the password history to 0 so that you can re-enter the existing root password when cifs setup prompts for a new root password, rather than having to change it and then change it back. We restore the history to the default of 6 after cifs setup.

NTAP> options security.passwd.rules.history 0

NTAP> cifs setup

This process will enable CIFS access to the filer from a Windows(R) system.

Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

Your filer does not have WINS configured and is visible only to clients on the same subnet.

Do you want to make the system visible via WINS?: N

A filer can be configured for multiprotocol access, or as an NTFS-only filer. Since NFS, DAFS, VLD, FCP, and iSCSI are not licensed on this filer, we recommend that you configure this filer as an NTFS-only filer

(1) NTFS-only filer

(2) Multiprotocol filer

Selection (1-2)?: 2

CIFS requires local /etc/passwd and /etc/group files and default files will be created. The default passwd file contains entries for 'root', 'pcuser', and 'nobody'.

Enter the password for the root user: XXXX

Retype the password: XXXX

The default name for this CIFS server is 'NTAP'.

Would you like to change this name?: N

Data ONTAP CIFS services support four styles of user authentication. Choose the one from the list below that best suits your situation.

The user that you specified has permission to create the filer's machine account in several (4) containers. Please choose where you would like this account to be created.

(1) CN=computers

(2) OU=Domain Controllers

(3) OU=~USERS

(4) OU=~NETAPP CONTROLLERS

(5) None of the above

Selection (1-5)?: 4

CIFS - Starting SMB protocol...

It is highly recommended that you create the local administrator account (NTAP\administrator) for this filer. This account allows access to CIFS from Windows when domain controllers are not accessible.

Do you want to create the NTAP\administrator account?: Y

Enter the new password for NTAP\administrator: XXXX

Retype the password: XXXX

Currently the user "NTAP\administrator" and members of the group "LAB\Domain Admins" have permission to administer CIFS on this filer. You may specify an additional user or group to be added to the filer's "BUILTIN\Administrators" group, thus giving them administrative privileges as well.

Would you like to specify a user or group that can administer CIFS?: N

Welcome to the LAB.PRIV (LAB) Active Directory(R) domain.

CIFS local server is running.

NTAP>

NTAP> options security.passwd.rules.history 6

Note 1: We chose multiprotocol filer, even though the recommendation was for NTFS only, since multiprotocol filers tend to be more common in practice.

Note 2: We purposely declined adding a user/group in addition to the "LAB\Domain Admins" etcetera, to demonstrate how to add these in later.

7) Access the ETC$ share as a Domain Admin

Since the ETC$ share gives "Full Control" to 'BUILTIN\Administrators', which includes the 'DOMAIN\Domain Admins' group, from a Windows domain-joined workstation logged in as a domain admin you can either browse to \\NTAP\ETC$ or map a drive (without requiring additional credentials):

net use

net use Z: \\NTAP\ETC$

net use /delete Z:

Image: The ETC$ share in Windows Explorer

8) Give a non-'Domain Admin' user access

Of course, a standard user account could just map a drive using domain admin credentials, like below:

net use Z: \\NTAP\ETC$ /USER:administrator@lab.priv

net use /delete Z:

To give say the domain account storageadmin access to /etc:

NTAP> useradmin group add storageadmins

NTAP> useradmin domainuser add storageadmin@lab.priv -g storageadmins

NTAP> cifs access ETC$ storageadmins "Full Control"

NTAP> cifs shares

Name         Mount Point         Description
----         -----------         -----------
ETC$         /etc                Remote Administration
                        BUILTIN\Administrators / Full Control
                        NTAP01\storageadmins / Full Control
HOME         /vol/vol0/home      Default Share
                        everyone / Full Control
C$           /                   Remote Administration
                        BUILTIN\Administrators / Full Control

Now our storageadmin can do a RUN> \\NTAP\ETC$ or map a drive to \\NTAP\ETC$ without needing different credentials.
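Because every principal granted "Full Control" on ETC$ can rewrite the filer's configuration (/etc/rc, /etc/passwd, and so on), it is worth periodically checking who holds that right. The following is an added example (my own code, not NetApp's or the post's): it parses 7-Mode `cifs shares` output in the layout shown above (share lines in column 0, indented "principal / permission" lines beneath each share) and flags any principal other than BUILTIN\Administrators with Full Control on the ETC$ or C$ admin shares. The sample output is constructed to mirror the post.

```python
from collections import OrderedDict

# Constructed sample of 7-Mode `cifs shares` output, mirroring the post above.
SAMPLE_OUTPUT = """\
Name         Mount Point         Description
----         -----------         -----------
ETC$         /etc                Remote Administration
                        BUILTIN\\Administrators / Full Control
                        NTAP01\\storageadmins / Full Control
HOME         /vol/vol0/home      Default Share
                        everyone / Full Control
C$           /                   Remote Administration
                        BUILTIN\\Administrators / Full Control
"""

# Shares that expose the filer's root / configuration, and the one
# principal expected to hold Full Control on them out of the box.
ADMIN_SHARES = ("ETC$", "C$")
EXPECTED_ADMINS = {"BUILTIN\\Administrators"}


def parse_cifs_shares(text):
    """Return {share: {"mount", "desc", "acl": [(principal, perm), ...]}}."""
    shares = OrderedDict()
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "----")):
            continue  # blank line or table header
        if line[0].isspace():
            # Indented line: an ACL entry belonging to the current share
            principal, sep, perm = line.strip().partition(" / ")
            if current is None or not sep:
                raise ValueError("unexpected ACL line: %r" % line)
            shares[current]["acl"].append((principal, perm))
        else:
            # Column-0 line: "<name> <mount point> <description>"
            parts = line.split(None, 2)
            desc = parts[2] if len(parts) > 2 else ""
            shares[parts[0]] = {"mount": parts[1], "desc": desc, "acl": []}
            current = parts[0]
    return shares


def unexpected_full_control(shares, admin_shares=ADMIN_SHARES,
                            expected=EXPECTED_ADMINS):
    """(share, principal) pairs with Full Control on an admin share that are
    not in the expected set, e.g. a group added later with `cifs access`."""
    findings = []
    for name in admin_shares:
        for principal, perm in shares.get(name, {"acl": []})["acl"]:
            if perm == "Full Control" and principal not in expected:
                findings.append((name, principal))
    return findings
```

Run against the post's configuration it reports NTAP01\storageadmins on ETC$, which is the intended grant from step 8; anything else in that list deserves a second look.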

Note: cifs lookup DOMAIN\user is a handy command for verifying that the domain account exists and also for obtaining the SID.